Apache proxy configuration question.

[reddragdiva]

A question for work. We can ssh into our intranet via a particular host (call it foo). I'm using the Lotus Notes webmail (which is 1000% nicer than the software client, and I now use it all the time by preference) and can easily access our internal IRC, source control and intranet websites via ssh tunnelling.

The intranet website access requires foo to be running a proxy. This is of course easy in Apache 2.0:

ProxyRequests On
ProxyVia On
ProxyDomain .internal.example.com

<Proxy *>
Order deny,allow
Deny from all
Allow from 172.26 10.1 localhost
</Proxy>

172.26.*.* and 10.1.*.* are intranet IPs. (Yes, we have multiple RFC-1918 ranges.)

All well and good. However, foo can thus be used as a proxy to access outside websites, in a manner that bypasses our WebSense filter (which is running as a transparent proxy). WebSense is inherently patronising and braindead rubbish that is not fit for purpose, but we don't want to upset the IT department unduly, and outside access is not after all what the proxy is there for. Also, not all intranet sites are in .internal.example.com — I need access control based on IP range.

So — how do I tell the proxy to only allow itself to be used for access to intranet IP ranges? What manual page did I miss?

(I could carefully construct a ProxyBlock entry to block everything except our ranges, but that's more than a little laborious. I could do it server-by-server using ProxyPass, but that's way too much like work and I can't be sure my whitelist would ever be complete — I just want to allow it to proxy to intranet IP ranges but not to other IPs.)

Has anyone done this? How did you do it?

Comments

[vatine]

Hypothetically, I would possibly use Squid instead of Apache. Although this means "one more server".

Simply define an ACL (call it "bob"):

acl bob dst 172.26.0.0/16
acl bob dst 10.1.0.0/16

http_access allow bob

This is untested, but unless read the docs wrong, that should be OK, especially if you train Squid to bind to the loopback interface instead of anything else.

[rasilon-x.livejournal.com]

Unless those braincells have been recycled, you're probably looking at something like replacing <proxy *> with <proxy 172.26.*.* and 10.1.*.*>

But I may be talking crap.

[reddragdiva]

Syntax error on line 122 of /usr/local/apache2/conf/httpd.conf:
Multiple arguments not (yet) supported.

I tried with just <proxy 172.26.*.*>, and it still allows access to blocked external sites.

[rasilon-x.livejournal.com]

You may need a <proxy *> Piss off </proxy> bit to make that stick.

Or there's telling it to forward everything to the websense, except the internal ranges? (ProxyRemote and NoProxy, I think.)

[rasilon-x.livejournal.com]

It looks like it needs to be fully qualified, sorry.

So

<proxy *>
  Order Deny,Allow
  Deny from all
</proxy>
<proxy http://172.26.*.*>
  Order deny,allow
  Deny from all
  Allow from 172.26 10.1 localhost
</proxy>
<proxy http://10.1.*.*>
  Order deny,allow
  Deny from all
  Allow from 172.26 10.1 localhost
</proxy>

Maybe...

[reddragdiva]

Sadly that blocks everything. I suspect it would let through a site called "http://172.26.*.*" or "http://10.1.*.*".

I fear mod_rewrite is the answer.

/me lubricates nether regions with own tears

[http://users.livejournal.com/_nicolai_/]

I used Squid, which is much better as a proxy than Apache.

[reddragdiva]

Faff percentage too high. I don't need an all-singing all-dancing solution, just something to let me work remotely without too much fallout.

i.e., if IT make a fuss then those of us with access swearing up and down we won't be naughty with it would be easier than bothering to install and set up Squid.

Oh if only it weren't the case...

[elpenguin.livejournal.com]

...but the answer is mod_rewrite.

See the [P] flag for proxying and tack on as many RewriteConds as you want.

Or if you want it to work in tandem with your existing proxy configuration, use a rewritecond to check the url and [F] to kick them out before it hits mod_proxy (which is called after mod_rewrite).

Re: Oh if only it weren't the case...

[reddragdiva]

Sounds quite plausible, actually. The ideal would be for it to allow access to intranet sites, and if it gets passed an external site then send it out through the websense. Unfortunately I don't have an IP for that, it's a transparent proxy.

Anything to do with mod_rewrite is fundamentally reminiscent of pounding involuntary anal dilation with a jackhammer, but we do use it extensively so that should be eminently manageable even if my arse isn't feeling up to it right at this moment.

[fluffymark]

Could you firewall the proxy so it can only see the web pages you want it to? Might be easier than trying to munge Apache.

[thorfinn]

Alternately, you could firewall outgoing web traffic on non RFC1918 ranges on foo.

Or possibly bind apache to the internal interface only, which hopefully might mean its requests go out the internal interface, which presumably will go out via websense?

Or send the default network route out the internal interface to do something similar, assuming that doesn't break everything horribly.

Or, just use squid. Squid isn't really any harder than apache, TBH, and if you just want a proxy, squid is much much much more fit-for-purpose. Apache is a great webserver, but as a proxy, it really sucks.